Hackers could net $360M from SC taxpayers

Tuesday

Nov 13, 2012 at 12:01 AMNov 14, 2012 at 1:24 AM

COLUMBIA — Using state tax information belonging to just a small fraction of the 4.5 million S.C. consumers and businesses could net hackers enough money to buy every ticket at Williams-Brice Stadium for a dozen years.

By ANDREW SHAINThe (Columbia) State

COLUMBIA — Using state tax information belonging to just a small fraction of the 4.5 million S.C. consumers and businesses could net hackers enough money to buy every ticket at Williams-Brice Stadium for a dozen years.Thieves could swipe $360 million by emptying bank accounts from 1 percent of affected taxpayers, said security expert Chris Swecker, who headed the FBI office in Charlotte, N.C., and corporate security at Bank of America. His estimate was based on estimates used by the FBI.“Tax returns are the holy grail for the bad guys,” Swecker said Tuesday after speaking at a state data-security symposium organized by S.C. Treasurer Curtis Loftis that drew more than 200 people. “That's toxic waste now. That's out there in the wild.”More than two weeks after revealing the massive data breach at the S.C. Department of Revenue, state officials said they still are awaiting a report from investigators to share with the public. Gov. Nikki Haley said she expects to release details this week.“I desperately want to know what happened, how it happened, why it happened,” she said Tuesday.Haley repeated she has not singled out any state employee or workers as responsible for the breach. “I constantly want somebody to blame, but the last thing I'm going to do is pass judgment on someone when I'm not sure who that person is,” she said.Few details have been released about the investigation except that state-approved credentials were used to take tax data going back to 1998. Using a rogue program, hackers tricked someone into opening a file to gain access to the Revenue Department system, The (Charleston) Post and Courier reported last week.Swecker said crooks use malicious programs to gather intelligence about people with the broadest access in organizations they hit.“They understand where they want to go,” he said.Swecker said South Carolina should have a central authority over information technology. It also needs policies that allow employees quickly to report that they might have opened a suspicious email or visited a bogus website so security teams can catch viruses and malware as soon as possible. State agencies now operate their own information-technology departments.

The state inspector general is working on a plan to coordinate computer security among agencies.Swecker said he did know why South Carolina was targeted, but the state might not be alone. “I wouldn't be surprised this didn't happen in other places and they don't know it.”South Carolina has not released what data was taken, but tax returns typically have all the identifying information hackers want in one spot — names, addresses, birth dates, Social Security numbers and income amounts.Crooks will look to hit high-income taxpayers and businesses, Swecker said.Thieves will apply for credit cards and loans, file false tax returns and medical claims, and empty bank accounts. Though few accounts are likely to be hit, banks will replace stolen money if thefts are reported within 60 days of receiving account statements.The state likely learned about the breach when the Secret Service noticed S.C. information being sold on the black market, Swecker said. The Secret Service told state officials about the data hacking on Oct. 10, nearly a month after it happened.“You can close the vulnerability now, but the data is out there, and it's going to get sold and resold and resold and resold for years to come,” Swecker said. “They might sit on it for a year.”